Optimizing Iceweasel/Firefox for privacy

Posted on 2013-12-01

Ever noticed an apparel that you looked up on a website showing up as an Ad when you are browsing another website? What is going on here? How did a web page show you ads for products you visited on a totally different website?

Partly this is the work of those facebook like buttons and Google’s +1 buttons. Let us say you were logged into facebook on a browser tab. Now you visit many other pages on other tabs. Some of these pages make have the “like” buttons. Now, here is the deal: Every time you visit a page, a series of HTTP GET requests are made by the browser to get the elements (like images etc) on the page. Facebook knows from the cookies that who you are. Now they also get a HTTP GET request for a button along with this cookie and the referrer URL, so they know which website this button appears in and that you visited that page.

In fact, facebook’s data usage policy page explicitly states this:

Advertisers and their partners sometimes use cookies or other
similar technologies in order to serve and measure ads and
to make their ads more effective. Learn more about cookies,
pixels and similar technologies. 

A few very interesting links/papers on the subject are here:

Here are a few plug-ins I use with Iceweasel (that’s the name of the popular Firefox browser on the Debian GNU/Linux system) that help in making web browsing, a pleasant experience.

0. Enable Tracking Protection in Firefox

[Added on 24/May/2015: Mozilla researchers have written this nice paper on an inbuilt browser feature to provide tracking protection for the users.

Apropos the above referenced paper, do about:config and set privacy.trackingprotection.enabled to true.

1. Adblock Edge

Adblock Edge(ABE) is a fork of the excellent Adblock Plus (ABP). AdBlock Plus sold out to Ad companies like Google and included a bunch of ads in their whitelist. ABE is a fork before they made the change. I guess we are indebted to ABP author for the great contribution. ABE with “EasyPrivacy” and “EasyList” filters can make the web browsing experience a lot lot nice! To see the difference, try browsing a few popular websites with and without ABE for a day.

Update (18/May/2015)

The Adblock-Edge page says they are deprecating the extension and recommend users to switch to uBlock. So, I switched to uBlock. Pages load significantly faster now than before.


2. HTTPS Everywhere

HTTPS Everywhere is a plugin to force https protocol if it is available, for safe and secure browsing. Most websites which requires one to login (like email, banking etc..) all implement https. But some still don’t or give an option for http vs https. In such cases, this plugin forces the use of https.


3. Duck Duck Go search widget

I had been trying to move away from Google for most of my daily browsing needs including search. Duck Duck Go search quality has been improving steadily and is very much usable for most purposes. DDG explicitly has privacy of its users as one of their goals. They are a company like Google, so they can change their policies (like the way Google did with the “don’t be evil” goal). So, watch out. Until then, enjoy DDG. Unlike Google, DDG does not wrap URLs in the search results with a redirector to track clicks.


4. Greasemonkey + NoScript

It is interesting to see the amount of code we execute on our machines without explicitly invoking a program. Every webpage include a number of JavaScript files which gets downloaded and executed when we visit websites. What do those JavaScript files do? Some of them are libraries like JQuery. Some of them are explicitly there to track users (like the Google Analytics scripts). We, the users, should have control on what should run on our machine and tracking should be opt-in, rather than opt-out.

It is also well known that a user can be uniquely identified from the Browser’s user agent string.

A number of websites work quite nicely without any JavaScript at all. GMail has a mode which works well without JavaScript. But unfortunately many don’t work well (like Amazon.com, for instance). But with NoScript, one could make this experience less painful.

Install Greasemonkey Install NoScript

5. RefControl

Everytime one clicks a URL on a webpage, which takes us to another page in the same website or a different website alltogether, the HTTP request message also sends a Referrer header which tells the website, where the request came from. This is a crucial piece of the puzzle in constructing a graph of anyone’s web browsing habbits. We could turn off those referral requests with the RefControl plugin.


6. Privacy Badger

Privacy Badger is an extension authored by the programmers at the EFF that blocks third party cookies that do not respect the “Do not track” flag. This extension, being from EFF, makes me trust this a lot more than other ones from for-profit companies. Thanks to Anand Pillai for the tip.


7. Self-Destructing cookies

This add-on helps to get rid of those cookies that tend to otherwise persist on one’s machine and helps track the web usage. As soon as one closes the tabs, this add-on removes the corresponding cookies.

I used to use an add-on called Beef-Taco for this purpose, but now I use “Self- Destructing cookies” add-on.


8. Other Misc settings

A few other tips:

  1. Turn On the private browsing mode in the browser if you don’t want to store the history. Some people like to have the history to make their browsing experience easy and it has its own merits and demerits. I visit facebook only on a browser in private browsing mode. This is not enough. One also need to make sure that no other websites are visited while the facebook page is open in a tab. One need not worry about logging off. If one closes a browser in private browsing mode, no cookies are stored, so the “like” buttons on other websites cannot track the identity. (Remember, they still can profile a user based on the User Agent string)

    I also clear history and cookies when I quit the browser. This can be set up on Firefox preferences.

  2. Turn on the “Do not Track” option. Both Firefox and Chrome has this option. But make sure that you turn the DNT option on, it may not be on by default.

  3. I also turn on the option to “never accept third party cookies”. (Well, actually I turn off the option to “never accept third party cookies”).

  4. Use a browser that has its source code published as Free Software. This means, Firefox or variants, Chromium, or one of those webkit derivatives like Epiphany. Note that Google Chrome is not Free Software but Chromium is. Mozilla is a non-profit corporation and I trust them more with protecting the web users than a for-profit corporation that explicitly wants to know everything about everyone.

    Google has access to your emails(Isn’t it ironic that they filter out email SPAM and show you spam in the form of ads on the side?), your likes/dislikes/opinions, your location and also your DNA. They also wants to know what you see and also track your eye movements within the screen and elsewhere. The Moto-X phone from Motorola/Google has its microphones on all the time reportedly to take voice commands. But it is also the new stark reality. In the name of convenience, people are enticed to give up their privacy.

  5. Tor onion router is one of the best guard against censorship and tracking. There are many ways to use Tor along with Firefox at the cost of a bit of latency. I like to use the OS Distribution called Tails on a USB stick when browsing from an internet cafe. Tails is a special GNU/Linux based distribution that can be installed on a USB stick, which has a bunch of privacy tools built in, including a special version of Firefox with Tor button enabled.

  6. Turn on the “Block pop-up” windows option to block the annoying popups.

  7. Install only those extensions that have their source code published. It is a bit hard to find that from the Firefox add-on page. One has to go to the specific page for an add on and look under “Version Information”. Chose only those extensions that is made available under a Free Software license. Remember that browser is a very critical piece of software used by anyone in their daily work flow and it is extremely important that we don’t leave it to others to decide on the issues related to privacy.

  8. YouTube has become as anoying as the regular Idiot Box these days with a lot of ads before and in-between the videos. I use YouTube Center to get rid of them and also give me a few other features like download the videos for offline viewing and so on. Not related to privacy per se, but helps in making YouTube video viewing, a better experience. It is highly likely that YouTube may do something to break this extension by changing their protocol, so that show the ads and the developer has to play a catchup game.

  9. There is another Firefox plugin called RequestPolicy that can catch cross site requests. It is recommended for security paranoids. It gives information on the connections made by a website into other domain names (eg: http://foobar.org making connections to Google Analytics website). These connections are reported and can be blocked as well.

  10. If you are concious about your privacy on the Internet (which every Internet user should), you should read the articles on the Electronic Frontier Foundation.